Spain’s AI Governance Bill: A Detailed Analysis of the New AI Enforcement Framework

On 12 June 2026, the Spanish Parliament published the draft Ley para el Buen Uso y la Gobernanza de la Inteligencia Artificial (the “Bill”), providing the first detailed view of how Spain intends to supervise and enforce the AI Act in practice.

1. Introduction

The publication of the Bill marks an important milestone in Spain’s implementation of the AI Act. While the Regulation establishes a harmonised framework governing the development, deployment and use of AI across the EU, Member States remain responsible for designating regulators, establishing enforcement mechanisms and implementing sanctions regimes. The Bill addresses precisely those issues.

As discussed in our previous post on the Government’s approval of the draft legislation, the proposal represents a significant step in Spain’s AI regulatory journey. The text published by Parliament now provides considerably greater clarity regarding the supervisory authorities, enforcement powers and governance structures that will underpin the application of the AI Act in Spain.

For organisations developing, procuring or deploying AI systems, the publication of the Bill marks an important shift from regulatory preparation to regulatory enforcement. This article examines the principal features of the draft legislation and their practical implications for businesses operating in Spain.

2. The Key Message: The Focus Is Enforcement

The obligations that apply to providers and deployers of AI systems continue to be found primarily in the EU AI Act. The purpose of the Spanish Bill is to establish the national governance architecture necessary to supervise compliance with those obligations.

In practical terms, the Bill focuses on four key areas:

  • designation of national AI regulators;
  • creation of AI regulatory sandboxes;
  • governance measures for the Spanish public sector; and
  • a national sanctions regime for breaches of the EU AI Act.

Businesses therefore should not view the legislation as creating a new compliance framework. Rather, it provides clarity on how existing EU AI Act obligations will be monitored and enforced in Spain.

3. A Decentralised Supervisory Model

One of the most notable features of the Bill is its decision to adopt a decentralised supervisory model.

Unlike the GDPR, where the Spanish Data Protection Agency (AEPD) acts as the principal regulator for most data protection matters, supervision under the AI framework will be shared among several regulators depending on the type of AI system and the sector in which it operates.

This approach reflects the risk-based structure of the EU AI Act and acknowledges that AI systems are increasingly used in areas as diverse as employment, education, financial services, healthcare, border management and the administration of justice.

For organisations operating across multiple sectors, this means AI compliance will increasingly require engagement with more than one regulator.

4. AESIA Emerges as Spain’s Principal AI Regulator

The Spanish Agency for the Supervision of Artificial Intelligence (AESIA) is positioned as the central authority within the new framework.

Under the Bill, AESIA will act as the primary supervisory authority for a wide range of AI systems, including many high-risk AI systems used in education, employment, critical infrastructure and essential services. The agency will also oversee compliance with a number of transparency obligations under the EU AI Act.

Beyond its supervisory role, AESIA will coordinate aspects of Spain’s AI governance framework, manage the national complaints mechanism and operate the country’s principal AI regulatory sandbox.

For many organisations, AESIA is likely to become the primary point of regulatory interaction for AI-related matters.

5. Data Protection Authorities Retain a Central Role

The Bill recognises that many of the most sensitive AI use cases involve personal data, biometric information and surveillance technologies.

As a result, the AEPD and regional data protection authorities are assigned responsibility for supervising a number of AI systems involving biometric identification, categorisation and border-management functions.

This allocation reflects a broader reality that organisations should not overlook: compliance with the EU AI Act does not replace GDPR compliance.

For many AI systems, particularly those involving profiling, automated decision-making or biometric processing, organisations will need to satisfy both regulatory frameworks simultaneously.

6. Financial Services and Sector Regulators Receive New AI Powers

The Bill also allocates AI supervisory responsibilities to existing financial regulators.

The Bank of Spain will supervise certain AI systems used for credit scoring and creditworthiness assessments. The Spanish securities regulator (CNMV) will oversee AI systems used within regulated investment activities, while the Directorate-General for Insurance and Pension Funds will supervise AI systems used for pricing and risk assessment in life and health insurance.

This development is particularly significant because it demonstrates that AI supervision is becoming embedded within existing regulatory structures rather than being treated as a standalone compliance issue.

For regulated firms, AI governance is therefore likely to become part of routine regulatory engagement.

7. A New Complaints and Reporting Framework

The Bill establishes a national complaints mechanism through which individuals and organisations may report suspected breaches of the EU AI Act.

Reports will be channelled through a single entry point managed by AESIA before being directed to the relevant regulator.

The legislation also introduces protections for whistleblowers who report potential infringements.

Although the system does not grant complainants automatic rights within subsequent enforcement proceedings, it is likely to increase regulatory visibility of AI deployments and facilitate investigations.

Organisations should therefore assume that AI-related complaints from employees, customers, competitors and civil society groups will become a more significant source of regulatory scrutiny.

8. AI Regulatory Sandboxes Become a Permanent Feature

The Bill formally establishes Spain’s AI regulatory sandbox framework.

Regulatory sandboxes are intended to provide organisations with a controlled environment in which innovative AI systems can be tested and validated under regulatory supervision before wider deployment.

The objective is to encourage innovation while reducing legal uncertainty and promoting compliance from the earliest stages of development.

This may prove particularly valuable for start-ups, healthcare innovators, financial technology companies and organisations developing high-risk AI systems.

9. New Governance Requirements for the Public Sector

The legislation introduces several obligations specifically applicable to the Spanish state public sector.

Public bodies will be required to maintain registers of AI systems, provide transparency regarding their use of AI and appoint an AI Officer responsible for coordinating compliance and governance activities.

Although these obligations do not apply directly to private organisations, they provide a useful indication of the governance standards that regulators increasingly expect to see.

As happened with data protection compliance following the GDPR, voluntary adoption of similar governance structures in the private sector may quickly become regarded as good practice.

10. Sanctions: From Compliance to Enforcement

One of the most significant aspects of the Bill is the detailed enforcement framework it establishes to support the application of the EU AI Act in Spain. The legislation not only identifies the authorities responsible for supervision, but also provides them with extensive investigative, corrective and sanctioning powers.

Classification of Infringements

The Bill categorises infringements as minor, serious and very serious.

Very serious infringements are reserved for conduct that creates the greatest risks to individuals and society. These include, in particular, the use of prohibited AI practices and failures by providers to notify serious incidents to the competent authorities. Given the potential impact of such conduct on fundamental rights, public safety and democratic values, these breaches attract the most severe sanctions, including fines of up to €35 million or 7% of worldwide annual turnover for infringements involving prohibited AI practices, and up to €15 million or 3% of worldwide annual turnover for other very serious infringements, whichever amount is higher.

Serious infringements are likely to be of greater practical relevance to most organisations. They include failures to comply with obligations applicable to high-risk AI systems, including deficiencies in risk management, technical documentation, data governance, human oversight, record-keeping and transparency requirements. The provision of inaccurate or misleading information to regulators also falls within this category. Serious infringements may be sanctioned with fines of up to €7.5 million or 1% of worldwide annual turnover, whichever is higher.

Minor infringements generally concern procedural and administrative failures, such as incomplete responses to regulatory requests or failures to provide required information. Although less serious in nature, repeated failures may nevertheless attract increased regulatory scrutiny and may be viewed as evidence of wider governance shortcomings. Minor infringements may result in fines of up to €500,000 or 0.5% of worldwide annual turnover, whichever is higher.

Regulatory Powers and Corrective Measures

The Bill makes clear that enforcement will not be limited to the imposition of financial penalties. Regulators are granted a broad range of corrective powers, including the ability to require remediation measures, restrict the deployment of AI systems, prohibit their use, order their withdrawal from the market and, where necessary, require systems to be disconnected altogether.

The authorities may also adopt interim measures before the conclusion of a formal enforcement procedure where urgent action is required to protect individuals, public safety or other protected interests.

For many organisations, these operational measures may represent a greater commercial risk than any monetary penalty. The suspension of a business-critical AI system can have immediate consequences for operations, customer relationships and revenue generation.

Determining Sanctions and Enforcement Consequences

When determining the appropriate sanction, regulators must consider a range of factors that will be familiar to organisations with experience of GDPR enforcement. These include the nature, gravity and duration of the infringement, whether the conduct was intentional or negligent, previous compliance history, cooperation with the authorities, measures taken to mitigate harm and the impact on affected individuals.

The Bill also establishes limitation periods of one year for minor infringements, three years for serious infringements and five years for very serious infringements. For continuing infringements, the limitation period runs from the date of the last infringing act.

In addition, enforcement decisions may be published through a coordinated mechanism overseen by AESIA and communicated to the European Commission and, where appropriate, other EU AI governance bodies. Consequently, regulatory action may create significant reputational exposure alongside financial and operational risks.

Taken together, these provisions demonstrate that Spain intends to adopt a proactive approach to AI supervision. Organisations should therefore expect regulators to focus not only on technical compliance with the EU AI Act, but also on the effectiveness of their broader AI governance and risk management frameworks.

11. What Organisations Should Do Now

Although the legislative process is still ongoing and amendments remain possible, organisations should not wait for final adoption before taking action.

At a minimum, organisations should:

  • identify AI systems currently in use;
  • determine whether any systems fall within the high-risk categories under the EU AI Act;
  • review governance and accountability arrangements;
  • assess supplier and vendor relationships;
  • establish incident reporting procedures;
  • review transparency obligations; and
  • ensure that AI compliance is considered alongside privacy, cybersecurity and broader governance requirements.

The most successful organisations will not be those that merely comply with the AI Act’s technical requirements. They will be those that can demonstrate robust governance, effective oversight and responsible decision-making throughout the lifecycle of their AI systems.

12. Conclusion

The publication of Spain’s AI Governance Bill represents a significant milestone in the implementation of the EU AI Act.

While the Bill does not fundamentally alter the obligations imposed by the European framework, it provides a clear picture of how those obligations will be supervised and enforced in Spain.

The message from the Spanish Government is clear: AI governance is no longer a future regulatory challenge. It is becoming an operational compliance requirement, supported by dedicated regulators, formal enforcement powers and an increasingly sophisticated supervisory framework.

Organisations that begin preparing now will be far better placed to navigate the new regulatory landscape than those that wait for enforcement activity to begin.

Ceyhun Necati Pehlivan
